OpenWrt Forum Archive

Topic: Update on Linksys WRT1900AC support

The content of this topic has been archived between 16 Sep 2014 and 7 May 2018. Unfortunately there are posts – most likely complete pages – missing.

Just installed ...

Update F/W to version 7.2.8.6.

Fix issue #20.

Signed-off-by: David Lin <dlin[at]marvell[dot]com>

(Last edited by gufus on 28 Jul 2015, 00:34)

KLit75 wrote:
davidc502 wrote:
KLit75 wrote:

Sorry if this has been asked...like a month ago, I thought I read more specific instructions for flashing (like revert to an early version first?) Looking on the wiki now I don't see any real prerequisites.
In short--can I just flash version 2 wrt1900ac? I'm coming from stock linksys, the most recent firmware. Thanks a lot.
Btw--if there's anything else I should know please share. I have flashed openwrt to this router around Xmas time and back then it was as simple as just installing it.

Flash to v2 only if you have hardware v2 of the Linksys 1900ac.

We want to make sure that is your understanding before flashing. Because if you flash v2 on v1 hardware, it will brick.

Best Regards,

Thanks. Wow...I really am out of the loop. Wasn't even aware of newer hardware. Bought mine last November so I'd assume version 1? But clearly I should do a little homework. Thanks again.

No problem.. I've also updated the Wiki to help clarify the meaning.

Best Regards,

Using username "root".
Authenticating with public key "rsa-key-20120810"


BusyBox v1.23.2 (2015-06-18 06:39:10 CEST) built-in shell (ash)

Linksys WRT1900AC (Mamba)
Security is enabled, and your IP address has been logged.

root@AC1900M:~# find / -name 88W8864.bin
/lib/firmware/mwlwifi/88W8864.bin
/overlay/upper/lib/firmware/mwlwifi/88W8864.bin
/rom/lib/firmware/mwlwifi/88W8864.bin
root@AC1900M:~#
root@AC1900M:~# ls -l /overlay/upper/lib/firmware/mwlwifi/88W8864.bin
-rwxr--r--    1 root     root        116356 Jul 27 17:21 /overlay/upper/lib/firmware/mwlwifi/88W8864.bin
root@AC1900M:~#

Kaloz,

I just wanted to say thanks for the work you've done in development. The new drivers have been working great, and RC3 as a whole has been stable so far.

Can I donate?

Just trying to get something to work. With the ipsec firewall portion not working properly, making changes to LUCI, and the UCI files in /etc/config  was not working. I was hoping a more generic simple config might be more comprehensible.


JW0914 wrote:
doitnow wrote:
JW0914 wrote:

Except for the rate limiting applied to ssh, telnet, and openvpn, this is the default firewall for OpenWRT

iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t filter -N delegate_input
iptables -t filter -N delegate_output
iptables -t filter -N delegate_forward
iptables -t filter -N delegate_rate_limit
iptables -t filter -N reject

 
   Hello, I've taken this as a starting point for an ipsec firewall. Unfortunately, the script at "http://wiki.openwrt.org/doc/howto/vpn.i … all_script" is not working with my setup on CC rc3. My IPSEC  site-site tunnel is up, but "routing" is not working on hosts connected to the 1990AC.

The errors that are emitted when the firewall scripts run, are "No chain/target/match by that name"

  The targets that are not found include
     zone_vpn
     zone_vpn_ACCEPT
     zone_vpn_INPUT
     zone_vpn_nat

  The script is configuring targets like
     zone_vpn_forward
     zone_vpn_output
     zone_vpn_input
     zone_vpn_dest_ACCEPT
     zone_vpn_src_REJECT

   This seems like it is very close to working, but not quite.

I have very little experience with editing scripts on Linux, so I can't comment as to where exactly the problem is in the script, however I can share why the problem is occurring:

  • OpenWRT uses a custom form of iptables, run by fw3, and because of this, normal chain names won't work.  These include the first set of targets, however the second set is correct for fw3.

My guess is you simply need to edit what your ${zone} variables point to to ensure they point to the second set of targets.

EDIT
I'm curious why you've chosen to manually run a secondary firewall script, and was wondering what you're looking to accomplish by doing so.


  • The reason I ask is what you're attempting to accomplish can probably be done far easier by either adding rules directly via LuCI or manually editing the /etc/config/firewall config file.  If you need to manually have iptables commands ran, then /etc/firewall.user would accomplish the job.

Depending on how complex you need the firewall to be, I think you may be making more work for yourself than what's needed for what you're trying to accomplish

From looking at the script, it would seem like it needs some very minor tweaks:

I take it that fw3 was added after the ipsec firewall script was implemented. It would be a shame to get this far only to be stopped from VPN/OpenWrt goodness by an integral script that has fallen out of support.

I've made the changes you suggest below, but I still have errors about zone_vpn_nat and zone_vpn in particular. What were you interpreting  that led to zone_vpn being unneeded?

  • Remove zone_${zone}  (This shouldn't be needed, if I'm interpreting this correctly)

  • From: zone_${zone}_ACCEPT  to  zone_${zone}_dest_ACCEPT

  • From: zone_${zone}_INPUT  to  zone_${zone}_input

  • I'm not sure about zone_${zone}_nat

The rest would be:

  • zone_${zone}_forward

  • zone_${zone}_output

  • zone_${zone}_src_REJECT  and/or  zone_${zone}_src_DROP


Also, with the secondary script disabled, if you haven't already, I would run fw3 print so you can get an idea of how fw3 sets up the iptables firewall.  In and of itself, fw3's default firewall is the most secure I've seen on a consumer router.

I run two VPN servers on OpenWRT, one with a very strict firewall, limiting it's access, and this is how fw3 configured my rules via LuCI:

doitnow wrote:
JW0914 wrote:

From looking at the script, it would seem like it needs some very minor tweaks:

  • Remove zone_${zone}  (This shouldn't be needed, if I'm interpreting this correctly)

  • From: zone_${zone}_ACCEPT  to  zone_${zone}_dest_ACCEPT

  • From: zone_${zone}_INPUT  to  zone_${zone}_input

  • I'm not sure about zone_${zone}_nat

The rest would be:

  • zone_${zone}_forward

  • zone_${zone}_output

  • zone_${zone}_src_REJECT  and/or  zone_${zone}_src_DROP

Also, with the secondary script disabled, if you haven't already, I would run fw3 print so you can get an idea of how fw3 sets up the iptables firewall.  In and of itself, fw3's default firewall is the most secure I've seen on a consumer router.

I run two VPN servers on OpenWRT, one with a very strict firewall, limiting it's access, and this is how fw3 configured my rules via LuCI:

I take it that fw3 was added after the ipsec firewall script was implemented. It would be a shame to get this far only to be stopped from VPN/OpenWrt goodness by an integral script that has fallen out of support.

I've made the changes you suggest below, but I still have errors about zone_vpn_nat and zone_vpn in particular. What were you interpreting  that led to zone_vpn being unneeded?

Have you tried just utilizing LuCI for the firewall without utilizing the ipsec script?

A lot of the Wikis on OpenWRT are dated... so I'm guessing it was probably written for Barrier Breaker or earlier.  Could that script still be utilized with some tweaking, absolutely... however I think it would probably be far simpler for you to set up firewall rules via LuCI and add custom iptables commands that cannot be added via firewall rules to /etc/firewall.user 

Unless you're setting up a corporate firewall, I think you're making more work for yourself than is needed.  If you can explain what exactly you want to do, I can offer more detailed information.

If you're simply looking to set up firewall rules for a VPN, I wrote a streamlined wiki for getting a VPN up and running, and if it's just basic rules to allow traffic, check out the Network section of it.

(Last edited by JW0914 on 28 Jul 2015, 17:50)

A lot of the Wikis on OpenWRT are dated... so I'm guessing it was probably written for Barrier Breaker or earlier.  Could that script still be utilized with some tweaking, absolutely... however I think it would probably be far simpler for you to set up firewall rules via LuCI and add custom iptables commands that cannot be added via firewall rules to /etc/firewall.user 

   Fair enough. Thank you  for the suggestion!

Unless you're setting up a corporate firewall, I think you're making more work for yourself than is needed.  If you can explain what exactly you want to do, I can offer more detailed information.

    This is intended to be a corporate firewall - allowing a remote office to enjoy a site-site VPN into AWS where we have a server running strongswan.

If you're simply looking to set up firewall rules for a VPN, I wrote a ...

  This is a great document. I have not seen it until now. I've been focusing on the strongswan implimentation, It may be time to consider an alternative in openvpn.

doitnow wrote:
JW0914 wrote:

A lot of the Wikis on OpenWRT are dated... so I'm guessing it was probably written for Barrier Breaker or earlier.  Could that script still be utilized with some tweaking, absolutely... however I think it would probably be far simpler for you to set up firewall rules via LuCI and add custom iptables commands that cannot be added via firewall rules to /etc/firewall.user

   Fair enough. Thank you  for the suggestion!

JW0914 wrote:

Unless you're setting up a corporate firewall, I think you're making more work for yourself than is needed.  If you can explain what exactly you want to do, I can offer more detailed information.

    This is intended to be a corporate firewall - allowing a remote office to enjoy a site-site VPN into AWS where we have a server running strongswan.

JW0914 wrote:

If you're simply looking to set up firewall rules for a VPN, I wrote a ...

  This is a great document. I have not seen it until now. I've been focusing on the strongswan implimentation, It may be time to consider an alternative in openvpn.

Whenever I have time, I've been trying to go through wikis I have enough knowledge to edit and edit them to bring them up to date.  If you do decide to utilize a separate ipsec script and are able to get the minor hiccup worked out, it would be awesome if you could update that wiki to show what needs to be altered to work with fw3 =]

There's a lot of users in this thread who are great at scripting and if one of you have time, could you take a look at that IPSec VPN script wiki to see what needs to be edited to work with fw3?  It would be much appreciated =]

If, due to the corporate firewall, the vpn firewall rules need to be complex, a script might work better since you can utilize if arguments, among other things.  Until someone with more scripting experience than myself is able to comment, it might be worth a look at the OpenVPN Forum, as there should be users there who are familiar with fw3 as well.

I know when I first was trying to figure out which VPN type I wanted to utilize, I looked into StrongSwan and other IPSec VPN options and decided on a SSL VPN instead (due to it's simplicity).  However, I do know IPSec VPNs are more prevalent in the corporate environment for a myriad of reasons, especially it's usefulness: it treats all IP packets the same and therefore can support all IP-based applications.  This is one article I looked at when comparing the two.

(Last edited by JW0914 on 28 Jul 2015, 18:44)

JW0914 wrote:

No problem at all, that's why I asked =]

I save a lot of things to OneNote, and I usually edit Wikis and Tutorials slightly to ensure they all have a cohesive look.  In case you're interested: http://1drv.ms/1LLMfih

Nicely written. Please update the wiki observing the github location of the files needed for recovery. Thanks.

nitroshift

nitroshift wrote:
JW0914 wrote:

No problem at all, that's why I asked =]

I save a lot of things to OneNote, and I usually edit Wikis and Tutorials slightly to ensure they all have a cohesive look.  In case you're interested: http://1drv.ms/1IpsplW

Nicely written. Please update the wiki observing the github location of the files needed for recovery. Thanks.

nitroshift

Thanks =]

Here's the new link (I also edited the previous post to show the updated link): http://1drv.ms/1IpsplW

(Last edited by JW0914 on 28 Jul 2015, 20:47)

JW0914 wrote:
nitroshift wrote:
JW0914 wrote:

No problem at all, that's why I asked =]

I save a lot of things to OneNote, and I usually edit Wikis and Tutorials slightly to ensure they all have a cohesive look.  In case you're interested: http://1drv.ms/1LLMfih

Nicely written. Please update the wiki observing the github location of the files needed for recovery. Thanks.

nitroshift

Thanks =]

Here's the new link (I also edited the previous post to show the updated link): http://1drv.ms/1exMGho

Again, nice. And again, please update the wiki. Thanks.

nitroshift

nitroshift wrote:
JW0914 wrote:
nitroshift wrote:

Nicely written. Please update the wiki observing the github location of the files needed for recovery. Thanks.

nitroshift

Thanks =]

Here's the new link (I also edited the previous post to show the updated link): http://1drv.ms/1IpsplW

Again, nice. And again, please update the wiki. Thanks.

nitroshift

I thought I did... unless you're referencing the source link in the header?

(Last edited by JW0914 on 28 Jul 2015, 20:47)

davidc502 wrote:

Kaloz,

I just wanted to say thanks for the work you've done in development. The new drivers have been working great, and RC3 as a whole has been stable so far.

Can I donate?

You're welcome smile You could buy me a beer if we'll meet wink

Kaloz wrote:
davidc502 wrote:

Kaloz,

I just wanted to say thanks for the work you've done in development. The new drivers have been working great, and RC3 as a whole has been stable so far.

Can I donate?

You're welcome smile You could buy me a beer if we'll meet wink

You got it!

@nitroshift

I'm still fairly new to github and didn't know how to navigate around to see if you had been able to transfer the tutorial from your old site to github.  I've updated the PDF and DOC formats accordingly to reflect the github address (you already updated the link on the Wiki =]).

(Last edited by JW0914 on 29 Jul 2015, 07:20)

davidc502 wrote:

Kaloz,

I just wanted to say thanks for the work you've done in development. The new drivers have been working great, and RC3 as a whole has been stable so far.

Can I donate?

Hi David, Please confirm on the stability. Been on stock for sometime because of the current issues.

Kaloz: Thanks for all the work you did.

Cheers,
Sachin Gopal

sachingopal wrote:
davidc502 wrote:

Kaloz,

I just wanted to say thanks for the work you've done in development. The new drivers have been working great, and RC3 as a whole has been stable so far.

Can I donate?

Hi David, Please confirm on the stability. Been on stock for sometime because of the current issues.

Kaloz: Thanks for all the work you did.

Cheers,
Sachin Gopal

Your mileage may vary, but RC3 has been stable, and the new wifi drivers have been stable as well. RC3 only been around 2 weeks, so time will tell, but it is off to a really good start.

Kaloz,

  Will add my thanks for your hard work and diligence in hunting this driver bug down. 

  Does anyone know when the new driver will get posted as part of an RC?

Best,

Phantomsfbw

davidc502 wrote:
sachingopal wrote:
davidc502 wrote:

Kaloz,

I just wanted to say thanks for the work you've done in development. The new drivers have been working great, and RC3 as a whole has been stable so far.

Can I donate?

Hi David, Please confirm on the stability. Been on stock for sometime because of the current issues.

Kaloz: Thanks for all the work you did.

Cheers,
Sachin Gopal

Your mileage may vary, but RC3 has been stable, and the new wifi drivers have been stable as well. RC3 only been around 2 weeks, so time will tell, but it is off to a really good start.

@phantomsfbw

Follow openwrt timeline and look for the corresponding commit. The new driver will be included in the following day build.

nitroshift

(Last edited by nitroshift on 29 Jul 2015, 15:36)

Will do, Thanks nitroshift!

nitroshift wrote:

@phantomsfbw

Follow openwrt timeline and look for the corresponding commit. The new driver will be included in the following day build.

nitroshift